Pages

Saturday, September 27, 2008

A question was posted to our JUG mailing list on how to lock a directory which contained an Adobe™ PDF file. In this example I want to cover a couple of really cool technologies, and how to implement them.

OpenDS is a project hosted on Java.net. It is an open source directory server which is based on the Sun™ SunOne™ Directory server and its predecessors (Netscape™ iPlanet™). It has a binary, or a Java™ Webstart deployment mechanism. It has a simple quick start setup including SSL based LDAP, and directory replication.

This is a simple to install, easy to use and configure, no-nosense LDAP server. It is a great server for prototyping.

Project Glassfish is an open source Java EE application server. It is simple to install and configure, and easy to use. The chances are pretty good that if you are reading this blog, you are familiar with its enormous benefits.

Case

The developer has a pdf file that is located inside a web project on the web server. The file can be bookmarked by users, but the developer wants to make sure that the user authenticates with the server before the file is displayed.

Now we need to configure our LDAP Security Realm in Glassfish. You may have multiple realms in Glassfish to accommodate application requirements.

1. Start Glassfish and login on http://localhost:4848. The default user is admin and password is adminadmin.

2. Go to Configuration --> Security --> Realms. Create a new Realm

Name: OpenDS

Class: com.sun.enterprise.security.auth.realm.LDAPRealm

JAAS context: ldapRealm

Directory: ldaps://localhost:1636

Base DN: dc=example, dc=com

Assign Group: ou=Groups,dc=example,dc=com

3. Add a property called group-target.

group-search-filter: member=%d

Note: The group-search-filter defines the attribute to look at when determining members of the groups. It may be member, memberurl, etc. depending on how you define your groups. In the example.ldif file, I have define the group as a groupOfNames which contains member [0...] attributes. The %d format expands to match the Relative Distinguished Name (RDN).

4. Save and you are done.

You have now configured Glassfish to use OpenDS.

Note: Since we configured it to use secure LDAP, remember to configure your server to use SSL to authenticate users. Otherwise the secure LDAP portion is a waste if the users are transmitting their usernames and passwords in cleartext over the network

I have created a sample Netbeans project which takes advantage of the new LDAP authentication. The project creates a page with a link to a PDF file located in a secured directory. The directory requires the user to authenticate using basic authentication implemented in the browser. If you fail to authenticate, it will produce a 403 error. The project is located here.

Once you successfully authenticate, you will see a list of popular software that runs on Glassfish.